<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Help with line-breaking in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-line-breaking/m-p/357471#M65274</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;I have a feed where it appears that multiple events are being sent on the same line, and I need to break them out. Can someone help me out? The break looks like it should be after the Timestamp; these are all appearing on the same line.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Mar 16 18:44:29 myhostname NTNAME=-SM-XNlwpU2OKY6Z5O9%2fdn3dUlqVlktrStAYeZaWtlO2dtNaD%2f45RYB9%2bb&amp;amp;TARGET=-SM-http%3a%2f%2fshare1%2eapp%2ey%2ecom%2fshare%2fdb%2fGet%2fDocument--2008231%2f s-port=443  cs-username=-   c-ip=x.x.x.x    cs(User-Agent)=Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:58.0)+Gecko/20100101+Firefox/58.0    sc-status=200   sc-substatus=0  sc-win32-status=0   time-taken=62 &amp;lt;13&amp;gt;Mar 16 18:44:29 myhostname AgentDevice=MSIIS  AgentLogFile=u_ex180316 AgentLogFormat=W3C  AgentLogProtocol=W3C    date=2018-03-16 time=18:44:23   s-ip=x.x.x.x    cs-method=GET   cs-uri-stem=/siteminder/ntlm/creds.ntc  cs-uri-query=CHALLENGE=&amp;amp;SMAGENTNAME=-SM-mqLlVsTdZPBzRsxcdlQAR2H4%2bN7cc%2ffYvhe2fzHoB1PFt9kRHccU3f3f0&amp;amp;TARGET=-SM-HTTP%3a%2f%2frtn%2eray%2ezebm%2f   s-port=443  cs-username=-   c-ipx.x.x.x cs(User-Agent)=Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko sc-status=401   sc-substatus=2  sc-win32-status=5   time-taken=31 &amp;lt;13&amp;gt;Mar 16 18:44:29 myhostname AgentDevice=MSIIS  AgentLogFile=u_ex180316 AgentLogFormat=W3C  AgentLogProtocol=W3C    date=2018-03-16 time=18:44:23   s-ip=x.x.x.x    cs-method=GET   cs-uri-stem=/sntnder/ntlm/creds.ntc cs-uri-query=CHALLENGE=&amp;amp;SMAGENTNAME=-SM-mqLlVsTdZPBzRKcdlQAR2H4%2bNqhz7cc%2ffYvhe2fzHoB1PFt9kRHccU3f3f0&amp;amp;TARGET=-SM-HTTP%3a%2f%2fozztn%2fzaay%2gcom%2f   s-port=443  cs-username=-   c-ip=x.x.x.x    cs(User-Agent)=Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko sc-status=401   sc-substatus=1  sc-win32-status=2148074254  time-taken=31 
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Fri, 16 Mar 2018 20:40:22 GMT</pubDate>
    <dc:creator>a212830</dc:creator>
    <dc:date>2018-03-16T20:40:22Z</dc:date>
    <item>
      <title>Help with line-breaking</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-line-breaking/m-p/357471#M65274</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;I have a feed where it appears that multiple events are being sent on the same line, and I need to break them out. Can someone help me out? The break looks like it should be after the Timestamp; these are all appearing on the same line.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Mar 16 18:44:29 myhostname NTNAME=-SM-XNlwpU2OKY6Z5O9%2fdn3dUlqVlktrStAYeZaWtlO2dtNaD%2f45RYB9%2bb&amp;amp;TARGET=-SM-http%3a%2f%2fshare1%2eapp%2ey%2ecom%2fshare%2fdb%2fGet%2fDocument--2008231%2f s-port=443  cs-username=-   c-ip=x.x.x.x    cs(User-Agent)=Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:58.0)+Gecko/20100101+Firefox/58.0    sc-status=200   sc-substatus=0  sc-win32-status=0   time-taken=62 &amp;lt;13&amp;gt;Mar 16 18:44:29 myhostname AgentDevice=MSIIS  AgentLogFile=u_ex180316 AgentLogFormat=W3C  AgentLogProtocol=W3C    date=2018-03-16 time=18:44:23   s-ip=x.x.x.x    cs-method=GET   cs-uri-stem=/siteminder/ntlm/creds.ntc  cs-uri-query=CHALLENGE=&amp;amp;SMAGENTNAME=-SM-mqLlVsTdZPBzRsxcdlQAR2H4%2bN7cc%2ffYvhe2fzHoB1PFt9kRHccU3f3f0&amp;amp;TARGET=-SM-HTTP%3a%2f%2frtn%2eray%2ezebm%2f   s-port=443  cs-username=-   c-ipx.x.x.x cs(User-Agent)=Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko sc-status=401   sc-substatus=2  sc-win32-status=5   time-taken=31 &amp;lt;13&amp;gt;Mar 16 18:44:29 myhostname AgentDevice=MSIIS  AgentLogFile=u_ex180316 AgentLogFormat=W3C  AgentLogProtocol=W3C    date=2018-03-16 time=18:44:23   s-ip=x.x.x.x    cs-method=GET   cs-uri-stem=/sntnder/ntlm/creds.ntc cs-uri-query=CHALLENGE=&amp;amp;SMAGENTNAME=-SM-mqLlVsTdZPBzRKcdlQAR2H4%2bNqhz7cc%2ffYvhe2fzHoB1PFt9kRHccU3f3f0&amp;amp;TARGET=-SM-HTTP%3a%2f%2fozztn%2fzaay%2gcom%2f   s-port=443  cs-username=-   c-ip=x.x.x.x    cs(User-Agent)=Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko sc-status=401   sc-substatus=1  sc-win32-status=2148074254  time-taken=31 
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Fri, 16 Mar 2018 20:40:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-line-breaking/m-p/357471#M65274</guid>
      <dc:creator>a212830</dc:creator>
      <dc:date>2018-03-16T20:40:22Z</dc:date>
    </item>
    <item>
      <title>Re: Help with line-breaking</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-line-breaking/m-p/357472#M65275</link>
      <description>&lt;P&gt;Give this a try&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[yourSourceType]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\&amp;lt;\d+\&amp;gt;)
# ...other timestamp settings...
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Fri, 16 Mar 2018 21:13:10 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-line-breaking/m-p/357472#M65275</guid>
      <dc:creator>somesoni2</dc:creator>
      <dc:date>2018-03-16T21:13:10Z</dc:date>
    </item>
    <item>
      <title>Re: Help with line-breaking</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-line-breaking/m-p/357473#M65276</link>
      <description>&lt;P&gt;What's that &lt;CODE&gt;&amp;lt;13&amp;gt;&lt;/CODE&gt; all about? Is that actually in the data? If so, could this be as easy as breaking there with your &lt;CODE&gt;LINE_BREAKER&lt;/CODE&gt;?&lt;/P&gt;</description>
      <pubDate>Wed, 11 Apr 2018 12:56:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-line-breaking/m-p/357473#M65276</guid>
      <dc:creator>sloshburch</dc:creator>
      <dc:date>2018-04-11T12:56:16Z</dc:date>
    </item>
    <item>
      <title>Re: Help with line-breaking</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-line-breaking/m-p/357474#M65277</link>
      <description>&lt;P&gt;&amp;lt;13&amp;gt; looks like a syslog priority tag to me (encoding user.notice).&lt;/P&gt;

&lt;P&gt;How is this data coming in to your forwarder?&lt;/P&gt;

&lt;P&gt;Anyway, I guess you could indeed break on that &amp;lt;\d+&amp;gt;, or to make it a little safer for &amp;lt;...&amp;gt; stuff to occur elsewhere in the event, include part of the timestamp format as well.&lt;/P&gt;</description>
      <pubDate>Wed, 11 Apr 2018 14:07:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-line-breaking/m-p/357474#M65277</guid>
      <dc:creator>FrankVl</dc:creator>
      <dc:date>2018-04-11T14:07:43Z</dc:date>
    </item>
  </channel>
</rss>

